

VMWare Workspace ONE SAML application setup

This manual shows you how to set up HelloID as IDP for VMWare Workspace ONE, using the SAML protocol. The configuration takes place in HelloID and in the VMWare Workspace ONE admin center.


  • HelloID environment

  • VMWare Workspace ONE

Create or Import a Certificate

If there is no certificate yet, a certificate must be imported or created. This can be done in the HelloID Administrator Portal under Settings > Certificates. For this tutorial, we will use a self-signed certificate. Learn more about certificates here.

HelloID Application Setup
Add the VMWare Workspace ONE Application to HelloID

Create a new application in HelloID by navigating to Applications > Applications. Open the Application Catalog and search for "VMWare Workspace ONE". Find the SAML template, and click Add. Learn more about managing applications here.

General tab

On the General tab, fill the default login URL with the VMWare Workspace ONE URL.

Optionally, you may also add a description. Click Next.

Single Sign-on tab

On the Single Sign-On tab, perform the following steps:

  1. The Name ID format should be emailaddress, but can be changed. If you change it, you must also change it in VMWare Workspace ONE.

  2. The Endpoint URL is the endpoint provided by Workspace ONE. This will be the AssertionService URL of the specific Workspace ONE instance.

  3. The SP-initiated URL is the same as the Endpoint URL.

  4. Keep the Sign Assertion option selected.

  5. In the X509 Certificate dropdown, select the certificate that you created or imported previously.

  6. The Custom Digest method can be the default.

  7. The Custom signature method can be the default.

  8. Click Next.

Self service tab

On the Self Service tab, choose whether to automatically create a Self Service product, which makes the application requestable. This is optional. Click Next.

Finish tab

On the Finish tab, click Save to add the application to HelloID.

Application metadata

After saving the VMWare Workspace ONE application, click its Edit link on the applications overview. This will bring you to its properties page.

You now have two options to obtain the application metadata.

Static metadata (download)

You can simply click Download metadata at the top right of the screen and save the file to your local computer for later use in VMWare Workspace ONE.

Dynamic Metadata (URL)

You can copy the link address (something along the lines of and replace 'download' with 'index' to view the metadata.

Hiding the application

On the Edit page of the VMWare Workspace ONE application select Hide application.

VMWare Workspace ONE Configuration
Configuring VMWare Workspace ONE

After the Identity Provider has been configured, you can continue configuring VMWare Workspace ONE. To do so, follow the steps below:

Edit the general system settings

Sign in to VMWare Workspace ONE using an account with admin rights

Go to the Directory Services settings

On the Server tab, import the metadata XML file that you downloaded in the previous step. The settings will be configured automatically in VMWare Workspace ONE.


1) Change the Request binding type to POST

2) Change the NameID format to "Email Address"

3) Change the Authentication Response Security to "Validate Assertion Signatures"

4) Click Save

On the User tab make sure that the User Search Filter is:


This is necessary for internal enrollment of the user to VMWare Workspace ONE.

Fill the Attributes with the following values:

Object identifier


Display Name


First Name


Last Name


Email address


Please leave the other attributes at their default values.


Click Save

You have now successfully configured SSO for VMWare Workspace ONE in HelloID.